Category FILE
Started On 2017-02-09 23:00:11.369883
Completed On 2017-02-09 23:00:53.464309
Duration 42 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2017-02-09 23:00:12
Shutdown On 2017-02-09 23:00:53

File Details

File name c318986e43329207445f6dbf2f74479650472c86.zip
File size 11282302 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 4FA9FBDD
MD5 8fc645d5d9c0f8417f4adc2bf0ffe03a
SHA1 c318986e43329207445f6dbf2f74479650472c86
SHA256 e4bb42e469b77bd18030e594dcd96f75f6569b76949dca574189747c4e962e88
SHA512 7501ff7198d6ca3dbc9a68de6219670b48ea1414940c96ac2e872afc8a470b0a43a03c422b8873a9892ed3e0f55480a3d567b86016b7550a984365d26c3a4fc9
Ssdeep 196608:wKqLs25FFfjPHMaHJzl5Iq3oEe8QpulAPrAbkdTzcGpuds6YPeWGSkyTFv:xOvfrb59oEe3aAKklzcWM2GSkyT1
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1486681262]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
LavasoftTcpService.exe: vmdetect

Zipped File Yara Signatures:
Application/BCUEngineS.dll: Str_Win32_Http_API

Signatures

recon_fingerprint
antivm_memory_available
antiav_detectfile

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

81b80aeda65fdb38_lavasofttcpservicer.log

LavasoftTcpService.exe

Network Analysis

Hosts Involved

DNS Requests

Behavior Summary

File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\LavasoftTcpServicer.log
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\LavasoftTcpServicer.log
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LavasoftTcpService
  • HKEY_CURRENT_USER\AppID\{2CE0F1DC-C504-4B7B-A385-D94A2531DFFB}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CLASSES_ROOT\AppID
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity

Processes


C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\TcpService\2.3.4.7\LavasoftTcpService.exe" PID: 148, Parent PID: 4412

Volatility

Nothing to display.